Review Synergyse Training for Google Apps

RESOLVED FIXED

Status

mozilla.org
Security Assurance: Review Request
3 years ago

People

(Reporter: jen, Unassigned)


Description

3 years ago
Synergyse Training was purchased for all Mozilla users for the Gmail migration project.  As this is a marketplace app that we need to install on our Enterprise Google account - we would like someone from Security to check it before we install it.
(Reporter)

Comment 1

3 years ago
to me, David, Majid, Varun
Hi Jennifer,

Our responses are below.  Please let us know if you need any additional information or clarifications.

Jarod 

    Overall

        Please describe the overall purpose of the system and how Mozilla data will be integrated
        Synergyse Training for Google Apps™ video portal is a web-based solution that provides video training for Google Apps™. Synergyse only has access to view your user's email addresses & organizational unit (via installation of the Synergyse Marketplace application). We do not have access to view any customer data, nor do we store any data in our database related to the user other than their email address & organizational unit. We send and store data only relating to usage of our training application, such as lesson playback and completion. This is used so you can generate reports of usage within your organization, and generate reports for specific organizational units.

    Security Management

        Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
        Yes. We treat all input data as potentially bad data, so it is always processed through appropriate filters. For example, data passed into SQL uses Java’s Statement framework and avoids use of raw queries.
        For authentication we use OAuth2 and SSL to protect cookies.
        Our JavaScript clients communicate with the backend over SSL and POST requests, which follows CORS rules and helps prevent Cross Site Scripting and Request Forgery attacks. All end-user redirects forward the user’s browser to our own properties, which helps to prevent phishing attacks.
        All access to user-specific data goes through an authentication filter and user-roles framework on the backend, which helps protect references to user data that the accessing user does not have permission to.
        The majority of our server configuration is handled by our cloud host (Google App Engine) and we constantly review and update our dependencies in order to bring them to the latest version. Our philosophy is to limit the number of dependencies as much as possible before thoroughly reviewing and integrating them into our system. When possible we would sandbox the dependency.
        Sensitive data is protected on a case-by-case basis based on sensitivity and internal audits. For user authentication data we can reset user access as soon as we know that the user’s login information was compromised. For credit card information we use an intermediary (Stripe.com) which handles the PCI compliance.

        Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
        Not at this time; security audits have been performed internally.

        How do you protect Mozilla data that will be stored on your servers or within your applications?
        Data is stored with 128-bit AES encryption in the Google Cloud SQL platform.

        How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
        Customers can only access data related to their own Google account; domain administrators only have access to data related to their own domains. We use Google OAuth2 authentication to verify the correct user access levels.

        What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
        In the event of a compromise we would notify our customers within 24 hours.

        Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
        No

        What other large engagements/clients have you supported with this application?
        News Corporation, Woolworths, Denny’s, Scott’s MiracleGro

    Technical Design

        Do you support full SSL communication for all inbound and outbound communications?
        Yes, all communication is done over SSL with TLS encryption.

        Describe the technology stack of the application and infrastructure.
        Our backend service is completely hosted on the Google Cloud Platform, and runs on Google App Engine, Google Cloud SQL & Google Cloud Storage. From a data security perspective, we are housed in the same data centers as Google Apps. All data is encrypted (128-bit AES) and secured (TLS) during transport and storage. We use Google OAuth2 for authentication against Google accounts, which is Google's recommended method for securely authenticating.

        What options do you support for authentication?

            username/password

            certificate based authentication

            secret token
            We support Google OAuth2

        Are authentication secrets (e.g. passwords) stored in a non-reversible form within your database (e.g. hashing)?
        N/A, we do not store passwords

        What type of hashing algorithm do you use (e.g. sha512, md5, bcrypt)?
        N/A, we do not store passwords

        Are salts added to the hashing algorithm which are unique for each user?
        N/A, we do not store passwords

        Will user passwords (or authentication secrets) be available to any other users via any functionality (example, admin users can see clear text passwords of users)?
        N/A, we do not store passwords

        Do you use third party servers or do you host the servers yourself?
        We use Google Cloud Platform (AppEngine, Cloud SQL and Cloud Storage)

        Do you use any third party services or communicate with any third parties from this application?
        We use Stripe as a payment processor, but this functionality will not be exposed to your users.

    Security Verification

        Will testing of the running application be possible?
        Yes, we have testing and staging servers

        Will source code for their application be available?
        No, our application is closed source

        Do you have attestation reports from any other vendors regarding your security posture?
        No

        Do you have any other security certifications that may be relevant?
        No
(Reporter)

Comment 2

3 years ago
Julien Vehent
Nov 3 (2 days ago)
to me, David
Thanks Jen,

Their security doc states that "Synergyse only has access to view your
user's email addresses & organizational unit". That's low risk, all that
data is mostly public anyway. And I don't see any vector of exploitation
in their workflow that would reduce the security of gmail itself.

From a security point of view, it's good to go. You may want to capture
this in a bug and link the security doc for future ref.

Thanks (and sorry again for the late reply).
Julien

On Mon  3.Nov'14 at 16:54:58 -0800, Jennifer Hayashi wrote:
> Hi Julien -
>
> Here's the documentation I received from the vendor.   I'll also forward
> the questionnaire you sent to the vendor and get back to you as soon as I
> hear back.   A little background, we've already purchased this video
> training, legal signed off on the contract -- but since the install does
> require some information to be exchanged - we thought it best to have
> someone from Security to verify there's no glaring issues before we deploy
> it out to the entire company.
>
>
> Hope that helps,
> Jen
>
>
> ---------- Forwarded message ----------
> From: Jennifer Hayashi <jhayashi@mozilla.com>
> Date: Wed, Oct 29, 2014 at 11:49 AM
> Subject: Fwd: Synergyse install
> To: "Stevensen, Joe" <joes@mozilla.com>
> Cc: "Lim, Edward" <limed@mozilla.com>
>
>
> Hi Joes -
>
> This is the video training that we'll be enabling in Google.   In order to
> set this up, we need to add the Synergyse App to the domain which will then
> be authorized to grab certain information from our Google domain.   Can you
> take a quick look at these and let us know whether you see any glaring
> problems?  If not, we want to enable it this week.
>
> I've enabled this in our test environment if anyone wants to test it out.
>
> Thanks!
> jen
(Reporter)

Comment 3

3 years ago
Created attachment 8517633 [details]
Synergyse-VideoPortalSecurityDesign.pdf
(Reporter)

Comment 4

3 years ago
This was installed in production.  Submitting this bug for future reference.
(Reporter)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED